[gnash] Fix CVE-2012-1175
Hicham HAOUARI
hicham at fedoraproject.org
Thu Mar 15 09:38:44 UTC 2012
commit bd4283bccf12a904edfc98beef684e58098e95d4
Author: Hicham HAOUARI <hicham.haouari at gmail.com>
Date: Thu Mar 15 09:37:44 2012 +0000
Fix CVE-2012-1175
gnash-0.8.10-integer-overflow.patch | 63 +++++++++++++++++++++++++++++++++++
gnash.spec | 9 ++++-
2 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/gnash-0.8.10-integer-overflow.patch b/gnash-0.8.10-integer-overflow.patch
new file mode 100644
index 0000000..9a218d9
--- /dev/null
+++ b/gnash-0.8.10-integer-overflow.patch
@@ -0,0 +1,63 @@
+From bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527 Mon Sep 17 00:00:00 2001
+From: Benjamin Wolsey <bwy at benjaminwolsey.de>
+Date: Sat, 10 Mar 2012 14:52:50 +0000
+Subject: Fix crash in GnashImage.cpp
+
+---
+diff --git a/libbase/GnashImage.cpp b/libbase/GnashImage.cpp
+index 11c6956..03a6939 100644
+--- a/libbase/GnashImage.cpp
++++ b/libbase/GnashImage.cpp
+@@ -26,6 +26,7 @@
+ #include <boost/scoped_array.hpp>
+ #include <boost/shared_ptr.hpp>
+ #include <algorithm>
++#include <cassert>
+
+ #ifdef USE_PNG
+ # include "GnashImagePng.h"
+@@ -44,6 +45,21 @@ namespace image {
+
+ namespace {
+ void processAlpha(GnashImage::iterator imageData, size_t pixels);
++ bool checkValidSize(size_t width, size_t height, size_t channels) {
++
++ if (width == 0 || height == 0) return false;
++
++ assert(channels > 0);
++
++ boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max();
++ if (width >= maxSize || height >= maxSize) return false;
++
++ maxSize /= channels;
++ maxSize /= width;
++ maxSize /= height;
++
++ return maxSize > 0;
++ }
+ }
+
+ GnashImage::GnashImage(iterator data, size_t width, size_t height,
+@@ -55,6 +71,8 @@ GnashImage::GnashImage(iterator data, size_t width, size_t height,
+ _height(height),
+ _data(data)
+ {
++ // Callers should check dimensions
++ assert(checkValidSize(_width, _height, channels()));
+ }
+
+ /// Create an image allocating a buffer of height*pitch bytes
+@@ -66,8 +84,9 @@ GnashImage::GnashImage(size_t width, size_t height, ImageType type,
+ _width(width),
+ _height(height)
+ {
+- const size_t max = std::numeric_limits<boost::int32_t>::max();
+- if (size() > max) {
++ // Constructed from external input, so restrict dimensions to avoid
++ // overflow in size calculations
++ if (!checkValidSize(_width, _height, channels())) {
+ throw std::bad_alloc();
+ }
+ _data.reset(new value_type[size()]);
+--
+cgit v0.9.0.2
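Review bot: `assert(channels > 0)` in checkValidSize is the only guard before `maxSize /= channels`, and `assert` is compiled out under NDEBUG, so a zero channel count (should channels() ever produce one) would divide by zero in a release build; a plain `if (channels == 0) return false;` keeps the function safe in every configuration. The same applies to `assert(checkValidSize(_width, _height, channels()));` in the data-taking constructor: in a release build that constructor validates nothing, so the comment `// Callers should check dimensions` is the only protection on that path, and it is worth either stating that contract in the header documentation or using the same `throw std::bad_alloc();` the allocating constructor now uses. The new helper also relies on `std::numeric_limits` while the hunk adds only `#include <cassert>`; the removed line used it the same way, so it evidently compiles transitively, but `#include <limits>` belongs next to the new include. Both constructor hunks begin and end outside the constructors they modify.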
diff --git a/gnash.spec b/gnash.spec
index 366653b..4dd9fbf 100644
--- a/gnash.spec
+++ b/gnash.spec
@@ -3,7 +3,7 @@
Name: gnash
Version: 0.8.10
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 1
Summary: GNU flash movie player
@@ -35,6 +35,9 @@ Requires(preun): /sbin/install-info
# Patch0 : http://www.mail-archive.com/gcc-bugs@gcc.gnu.org/msg338792.html
Patch0: %{name}-%{version}-add-unistd-header.patch
+# Patch1 : Fix CVE-2012-1175
+# http://git.savannah.gnu.org/cgit/gnash.git/commit/?id=bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527
+Patch1: %{name}-%{version}-integer-overflow.patch
%description
Gnash is capable of reading up to SWF v9 files and op-codes, but primarily
@@ -128,6 +131,7 @@ to a MySQL database. The API is similar to the standard MySQL one.
%prep
%setup -q
%patch0 -p1 -b .unistd-header
+%patch1 -p1 -b .integer-overflow
autoreconf -if
%build
@@ -284,6 +288,9 @@ touch --no-create %{_datadir}/icons/hicolor
%{_libdir}/gnash/plugins/mysql.so
%changelog
+* Thu Mar 15 2012 Hicham HAOUARI <hicham.haouari at gmail.com> - 1:0.8.10-2
+- Fix CVE-2012-1175 ( rhbz #803443 #803444 )
+
* Mon Feb 27 2012 Hicham HAOUARI <hicham.haouari at gmail.com> - 1:0.8.10-1
- Update to 0.8.10
- Drop patches backported from upstream